fix(gen2-migration): handle secrets in function definitions #14851
Draft
Conversation
When a Gen1 function is configured with a secret, the CLI stores
the secret value as an SSM SecureString parameter and sets the
SSM path as the environment variable value. The generate command
now detects env vars whose values match the SSM secret path
pattern (/amplify/<appId>/<envName>/...) and converts them to
Gen2's secret() API in the defineFunction() call.
Previously, these env vars were emitted as literal strings
containing the SSM path. Now they produce:
import { defineFunction, secret } from '@aws-amplify/backend';
...
  environment: {
    MY_SECRET: secret('MY_SECRET')
  }
The existing API_KEY secret handling was a special case of this
pattern and is now covered by the generalized detection.
Updated the product-catalog golden snapshot which contains a
PRODUCT_CATALOG_SECRET env var that triggers this code path.
---
Prompt: Implement issue #14517 — generate command should handle
secrets in function definitions by converting SSM SecureString
parameter paths to Gen2 secret() API calls.
Solves #14517.
Issue Summary
When a Gen 1 function has secrets stored as SSM SecureString parameters, the generate command outputs the raw SSM path as a string literal in the environment block instead of using Gen 2's secret() API. The fix generalizes the existing API_KEY-only secret detection to recognize any env var whose value matches the SSM secret path pattern.
Reasoning
/amplify/{appId}/{env}/AMPLIFY_{funcName}_{KEY}. The path is set as the env var value, and the function fetches it at runtime via @aws-sdk/client-ssm.
secret('KEY') handles this automatically — the value is fetched at function load time and available via process.env.KEY.
function.renderer.ts — found renderEnvironment() which already had a special case for API_KEY that checked if the value starts with the SSM prefix and emits secret('API_KEY'). But it was hardcoded to only match the key API_KEY.
/amplify/{appId}/{envName}/ is treated as a secret, using the env var's own key name in the secret() call.
Solution
function.renderer.ts — Changed the secret detection from key === 'API_KEY' && value.startsWith(...) to just value.startsWith(ssmSecretPrefix). The secret() call now uses the actual key name instead of hardcoded 'API_KEY'.
function.generator.test.ts — Added test 'renders SSM secret env vars as secret() calls' that mocks a function with two SSM-path env vars and one regular env var, verifying the output uses secret('MY_SECRET') and secret('ANOTHER_SECRET') while keeping DB_HOST: 'localhost' as a literal.
lowstockproducts/resource.ts golden snapshot (the function had an SSM-path env var that now renders as secret()).
Example
Input (Gen 1 — deployed function config):
{
  "Environment": {
    "Variables": {
      "MY_SECRET": "/amplify/d1abc2def3/main/AMPLIFY_myFunc_MY_SECRET",
      "DB_HOST": "localhost"
    }
  }
}
Output — before fix (resource.ts):
Output — after fix (resource.ts):
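An added illustration of the detection this PR describes, written for this page rather than taken from amplify-cli or the PR's diff: the old API_KEY-only rule beside the generalized prefix match, plus a helper that lists which keys a migration would turn into secret() so the generated resource.ts can be reviewed before it is trusted (any env var whose value happens to start with the prefix is converted). The prefix helper, function names and sample input are assumptions modelled on the PR text.

```typescript
// Added example, not amplify-cli code. Names and the prefix helper are assumptions.
type EnvVars = Record<string, string>;

// Gen1 stores a function secret as an SSM SecureString and sets the env var to
// its path under /amplify/<appId>/<envName>/ (the pattern quoted in the PR).
function ssmSecretPrefix(appId: string, envName: string): string {
  return `/amplify/${appId}/${envName}/`;
}

// Old rule: only the key API_KEY was ever recognised as a secret.
function isSecretLegacy(key: string, value: string, prefix: string): boolean {
  return key === 'API_KEY' && value.startsWith(prefix);
}

// Generalized rule: any env var whose value starts with the SSM prefix.
function isSecret(value: string, prefix: string): boolean {
  return value.startsWith(prefix);
}

// Render the `environment` block of a Gen2 defineFunction() call.
// Secrets become secret('<KEY>') using the env var's own key; other values
// stay string literals (single quotes escaped, non-identifier keys quoted).
function renderEnvironment(vars: EnvVars, prefix: string, legacy = false): string {
  const lines = Object.entries(vars).map(([key, value]) => {
    const isSsm = legacy ? isSecretLegacy(key, value, prefix) : isSecret(value, prefix);
    const lhs = /^[A-Za-z_$][\w$]*$/.test(key) ? key : JSON.stringify(key);
    const rhs = isSsm ? `secret('${key}')` : `'${value.replace(/'/g, "\\'")}'`;
    return `    ${lhs}: ${rhs},`;
  });
  return ['  environment: {', ...lines, '  },'].join('\n');
}

// Keys the migration will convert to secret(); review this list against the
// function's intended secrets, since the match is on the value prefix alone.
function secretKeys(vars: EnvVars, prefix: string): string[] {
  return Object.keys(vars).filter((k) => isSecret(vars[k], prefix));
}

// Constructed sample matching the PR's example input.
const SAMPLE: EnvVars = {
  MY_SECRET: '/amplify/d1abc2def3/main/AMPLIFY_myFunc_MY_SECRET',
  DB_HOST: 'localhost',
};
const SAMPLE_PREFIX = ssmSecretPrefix('d1abc2def3', 'main');
console.log(renderEnvironment(SAMPLE, SAMPLE_PREFIX));
```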